PIA: Port forwarding obtaining signature payload timeout

[MillsyBot]

Hello!

First off: thanks for making such a cool product!

Now to business: I have been using PIA (sans port forwarding) for sometime and have really enjoyed it. I am attempting now to add the port forwarding feature for a current use case that I have. I believe that I have configured things properly, however it is quite possible that I missed something. Here are the relevant environment variables

VPN_PORT_FORWARDING=on
FIREWALL_VPN_INPUT_PORTS=
VPN_ENDPOINT_PORT=
VPN_PORT_FORWARDING_PROVIDER=private internet access
FIREWALL_INPUT_PORTS=
VPN_PORT_FORWARDING_STATUS_FILE=/gluetun/forwarded_port
VPN_PORT_FORWARDING_LISTENING_PORT=0

And here are the logs that I am getting.

2024-01-15T21:18:34-07:00 INFO [vpn] You are running on the bleeding edge of latest!
2024-01-15T21:18:34-07:00 INFO [port forwarding] starting
2024-01-15T21:19:04-07:00 ERROR [vpn] port forwarding for the first time: refreshing port forward data: fetching port forwarding data: obtaining signature payload: Get "https://10.31.110.1:19999/getSignature?token=<token>": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

I have verified on a few locations that claim they support port forwarding, however the results are the same. I attempted to reach the 10.31.110.1 port 19999 from inside the gluetun container, and that was also a bust.

Thanks in advance for any help. Sorry if this one is too obvious!

[qdm12]

Hi there! I am not sure, I was going to say this VPN server probably doesn't support port forwarding... What server hostname/ip are you using, just to double check? If anyone else has the same issue, please chime in as well, thanks!

[MillsyBot]

Hey! Thanks for the response.

SERVER_NAMES=vancouver433
SERVER_HOSTNAMES=ca-vancouver.privacy.network
SERVER_REGIONS=CA Vancouver

I have been using Vancouver to make the attempts, however I have cycled a few different servers in various regions (Venezuela, Mexico, Norway).

Is there a preferred or recommended order of preference on these variables? like only use SERVER_NAMES or use all three or use only one?

[ZulliB]

I have been dealing with the same issue for a while and here is the error I get:

gluetun-public  | 2024-01-29T12:14:05-08:00 WARN [port forwarding] Forwarded port data expired on Wed, 10 Jan 2024 16:56:07 UTC, getting another one
gluetun-public  | 2024-01-29T12:14:06-08:00 ERROR [vpn] port forwarding for the first time: refreshing port forward data: fetching port forwarding data: obtaining signature payload: Get "https://10.27.110.1:19999/getSignature?token=<token>": dial tcp 10.27.110.1:19999: connect: connection refused

I assume the token is actually being passed and the token isn't literal. here is my relevant options: (running the latest version)

      - VPN_TYPE=openvpn
      - OPENVPN_PROCESS_USER=root
      - VPN_SERVICE_PROVIDER=private internet access
      - SERVER_REGIONS=CA Vancouver
      - VPN_PORT_FORWARDING=on
      - VPN_PORT_FORWARDING_PROVIDER=private internet access
      - PRIVATE_INTERNET_ACCESS_OPENVPN_ENCRYPTION_PRESET=strong
      - FIREWALL=on

Hope some of this helps. Thank you for a great application.

[anorth2]

+1 with connection refused . I confirmed I am using a server with port forwarding by manually testing in the PIA UI and receiving a forwarded port.

[anorth2]

This could be related @qdm12 :

https://www.reddit.com/r/PrivateInternetAccess/comments/p0n7ge/cant_get_signature_for_port_forwarding_connection/
https://github.com/triffid/pia-wg/blob/master/pia-portforward.sh#L70-L72

[ZulliB]

This could be related @qdm12 :

https://www.reddit.com/r/PrivateInternetAccess/comments/p0n7ge/cant_get_signature_for_port_forwarding_connection/ https://github.com/triffid/pia-wg/blob/master/pia-portforward.sh#L70-L72

Nice find. One thing I noticed is that gluetun is trying to get the signature from the gateway, which makes sense according to PIA's comments here.
Although, in the actual request they use PF_HOSTNAME and not PF_GATEWAY here.
Even in the scripts you linked to appear to be using the domain name of the region server i.e. ca-vancouver.privacy.network

Hopefully it's not a red herring.

[qdm12]

@MillsyBot your error was Client.Timeout exceeded while awaiting headers so not connection refused, is this resolved now?

@anorth2 @ZulliB Your issue connection refused might be different from the original issue. If PIA port forwarding would be broken in Gluetun, I would expect more people to ask about it 🤔 Plus it was working before.
Since the gateway is 10.27.110.1, would you be using 10.0.0.0/8 as your local Docker bridge network for example? These can conflict with the gateway.

@ZulliB The curl command they have

curl -s -m 5 \
    --connect-to "$PF_HOSTNAME::$PF_GATEWAY:" \
    --cacert "ca.rsa.4096.crt" \
    -G --data-urlencode "token=${PIA_TOKEN}" \
    "https://${PF_HOSTNAME}:19999/getSignature"

Actually connects to PF_GATEWAY (see --connect-to), PF_HOSTNAME is just used as an alias and to validate the TLS name.

Anyway, I also changed code so it communicates with the public VPN server IP address instead of the local gateway for PIA, in image qmcgaw/gluetun:pr-2254 can you try it? Thanks!